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REMARKS 

Reconsideration and allowance of the subject application in view of the foregoing 
amendments and the following remarks is respectfully requested. Entry of this Amendment 
Under Rule 1 16 is merited as it raises no new issues and requires no further search. 

Claims 1-6 and 13-20 are pending. New claim 20 has been added to secure an 
appropriate scope of protection to which applicant is believed entitled. 

Amended claims 1-6 and 13-20 are patentable over Moran (U.S. Patent 6,647,400) 

A rejection based on 35 U.S. C. §102 requires every element of the claim to be included 
in the reference, either directly or inherently. Moran fails to anticipate the subject matter of 
amended claim 1 as Moran fails to disclose at least routing an event to a template where the 
template comprises a sequence of connected logic nodes. 

The PTO asserts that Moran discloses a template in "the rule set and/or signature 
database use[d] to filter an event as a possible intrusion;" however, Moran appears to recite a 
ruleset 306 and attack signatures database 308 without providing any enabling disclosure as to 
what the ruleset 306 and attack signatures database 308 comprise. Moran appears to describe a 
rule set in terms of the messaging communication between a data source and the analysis engine, 
i.e., "to provide the analysis engine with a specification of the sensor for a data source" and 
"specifying the interactions of the data from the new data source with that from other sources" at 
column 14, lines 13-32. Thus, amended claim 1 is patentable over Moran and the rejection is 
respectfully requested to be withdrawn. 

Further, Moran fails to disclose at least filtering the event, based on a sequence of logic 
nodes of a template, and determining a filename based on the event and outputting the event for 
each event indicating modification of a critical file based upon the determined filename as 
claimed in amended claim 1. Moran appears to describe only that the "administrator . . . [has] 
access to the analysis engine 302 and event database 304" and "sensor controller 310 .. . may 
pass information to the event database 304." Moran at column 8, lines 10-16. Contrary to the 
PTO assertion, Moran fails to disclose communication between rule set and attack signature 
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database and the event database to determine possible intrusions. Thus, amended claim 1 is 
patentable over Moran and the rejection is respectfully requested to be withdrawn. 


For each of the foregoing reasons, amended claim 1 is patentably distinguishable from 
Moran and the rejection should be withdrawn. 

Claims 2-6 and 13 depend, either directly or indirectly, from claim 1, include further 
limitations, and are patentable over Moran for at least the reasons advanced above with respect to 
claim 1. The rejection of claims 2-6 and 13 should be withdrawn. 

Amended claim 14 is patentable over Moran for at least reasons similar to those advanced 
above with respect to claim 1 and the rejection is respectfully requested to be withdrawn. 

Claims 15-20 depend, either directly or indirectly, from claim 14, include further 
limitations, and are patentable over Moran for at least the reasons advanced above with respect to 
claim 14. The rejection of claims 15-20 should be withdrawn. 
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Conclusion 

All objections and rejections having been addressed, it is respectfully submitted that the 
present application should be in condition for allowance and a Notice to that effect is earnestly 
solicited. 

To the extent necessary, a petition for an extension of time under 37 C.F.R. 1.136 is hereby 
made. Please charge any shortage in fees due in connection with the filing of this paper, including 
extension of time fees, to Deposit Account 08-2025 and please credit any excess fees to such 
deposit account. 

Respectfully submitted, 
Mark Crosbie 
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